LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Similar documents
Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Lecture 1: Introduction to Public key cryptography

CIS 551 / TCOM 401 Computer and Network Security

Factorization & Primality Testing

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Introduction to Modern Cryptography. Benny Chor

Public Key Algorithms

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Applied Cryptography and Computer Security CSE 664 Spring 2018

Chapter 8 Public-key Cryptography and Digital Signatures

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Cryptography: Joining the RSA Cryptosystem

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

THE RSA CRYPTOSYSTEM

Ma/CS 6a Class 4: Primality Testing

A Guide to Arithmetic

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

basics of security/cryptography

Cryptography IV: Asymmetric Ciphers

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

CRYPTOGRAPHY AND NUMBER THEORY

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Cryptography. pieces from work by Gordon Royle

CPSC 467b: Cryptography and Computer Security

CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography

Lecture Notes, Week 6

CPSC 467b: Cryptography and Computer Security

Encryption: The RSA Public Key Cipher

Ma/CS 6a Class 3: The RSA Algorithm

Public-Key Cryptosystems CHAPTER 4

Mathematics of Cryptography

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Topics in Cryptography. Lecture 5: Basic Number Theory

Mathematics of Public Key Cryptography

CPSC 467b: Cryptography and Computer Security

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

The RSA cryptosystem and primality tests

10 Public Key Cryptography : RSA

Asymmetric Encryption

10 Modular Arithmetic and Cryptography

Lecture V : Public Key Cryptography

Introduction to Modern Cryptography. Benny Chor

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

RSA. Ramki Thurimella

Week 7 An Application to Cryptography

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Ma/CS 6a Class 4: Primality Testing

Introduction to Cryptography. Lecture 6

THE RSA ENCRYPTION SCHEME

Introduction to Public-Key Cryptosystems:

Euler s ϕ function. Carl Pomerance Dartmouth College

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

8.1 Principles of Public-Key Cryptosystems

Introduction to Cryptography. Lecture 8

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

CRYPTOGRAPHY AND LARGE PRIMES *

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Foundations of Network and Computer Security

Number Theory A focused introduction

Discrete Mathematics GCD, LCM, RSA Algorithm

Public Key Cryptography

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

AN INTRODUCTION TO CRYPTOGRAPHY A. LANGUASCO

THE CUBIC PUBLIC-KEY TRANSFORMATION*

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

Number Theory. Modular Arithmetic

Public Key Cryptography

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

RSA RSA public key cryptosystem

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

CPSC 467: Cryptography and Computer Security

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

Number Theory & Modern Cryptography

MATH 158 FINAL EXAM 20 DECEMBER 2016

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

1. Algebra 1.7. Prime numbers

Uncertainty can be Better than Certainty:

NUMBER THEORY FOR CRYPTOGRAPHY

CPSC 467b: Cryptography and Computer Security

Practice Assignment 2 Discussion 24/02/ /02/2018

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Aspect of Prime Numbers in Public Key Cryptosystem

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Cryptography. P. Danziger. Transmit...Bob...

Improving the Accuracy of Primality Tests by Enhancing the Miller-Rabin Theorem

My brief introduction to cryptography

Introduction to Cybersecurity Cryptography (Part 5)

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

A New Attack on RSA with Two or Three Decryption Exponents

Biomedical Security. Some Security News 9/17/2018. Erwin M. Bakker. Blockchains are not safe for voting (slashdot.org) : From: paragonie.

Elementary Number Theory

Public Key Encryption

Theory of Computation Chapter 12: Cryptography

Transcription:

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS Modular arithmetics that we have discussed in the previous lectures is very useful in Cryptography and Computer Science. Here we discuss several of these applications. 1. Diffie Hellman key exchange Suppose two people, Alice and Bob, want to use an insecure communication channel to agree on a secret shared key that they can use to do further encryption for long messages. The Diffie Hellman key exchange method, which is used in many of the web browsers, provides a way. It proceeds as follows: (1) Alice and Bob agree on a big prime number p and a non-zero residue x modulo p. This is public information which is also available to an adversary. A secret key will be among non-zero residues modulo p. (2) Alice chooses a large secret integer a < p, Bob chooses a large secret integer b < p. These are their private keys. (3) Alice computes her public key A x a (mod p) and sends it to Bob using insecure communication. computes his public key Likewise, Bob B x b (mod p) and sends it to Alice. An adversary could also get access to A and B. (4) Finally, Alice computes B a (mod p), and Bob computes A b (mod p). We observe that it follows from basic properties of modular arithmetic that B a = (x b ) a x ab (x a ) b A b (mod p). This residue is the secret key that Alice and Bob can use for further communications. This scheme is based on the assumption that given a residues x and y modulo p, it is difficult to find an exponent a such that x a y (mod p). This is called the discrere logarithm problem. At present time, there is no efficient (polynomial-time) algorithm for solving this problem, but there is an efficient algorithm using quantum computers. 1

2 LECTURE 5 2. Public-Key Cryptography: the RSA cryptosystem Suppose that Alice wishes to securely send a message to Bob, avoiding Eve malevolently deciphering this message. We suppose that a message constitutes a number a in the range 1 a < N for some large N (longer messages could be send in pieces). How do we achieve secure communication? We will provide a sketch of the RSA cryptosystem, invented by Rivest, Shamir and Adleman. (1) Bob picks two large primes p and q in an essentially random manner, with p q. He computes N = pq. Bob also chooses a natural number r coprime to φ(n) that is not too small. Notice that since Bob knows the prime factorisation of N, he is able to compute φ(n) = (p 1)(q 1) quickly, and hence obtain a suitable integer r (for instance, by trial and error) using the Euclidean Algorithm. Bob publishes integers N and r, but keeps the primes p and q secret. We note that since Bob knows φ(n) he can also find an integer s such that sr 1 (mod φ(n)). This integer can be found by solving the equation xr + yφ(n) = 1 with a help of the Euclid algorithm. (2) Now Alice would like to send to Bob a secret integer a with 1 a < N. She computes b a r (mod N), and send b over an insecure channel. (3) Finally, Bob computes b s (mod N). It follows from the theorem below that this is exactly the secret number a. Theorem 2.1. For all integers a, one has b s a (mod N). Proof. We observe that since sr 1 (mod φ(n)), sr = 1 + kφ(n) for some k Z. Suppose first that (a, N) = 1. Then it follows from Euler s Theorem that a φ(n) 1 (mod N). Hence, since sr 1 (mod φ(n)), we obtain that b s = a sr = a(a φ(n) ) k a (mod N) Since N = pq, it follows that when (a, N) 1, then one has (a, N) = p, q or pq. In the latter case, we have a = pq = N, and then the conclusion is trivial. Suppose then that (a, N) = p, so that p a and (a, q) = 1. In this situation the former condition yields b s a sr 0 a (mod p),

LECTURE 5 3 and in view of Fermat s Little theorem (a q 1 1 (mod q)), the latter yields b s = a sr = a(a q 1 ) k(p 1) a (mod q). Thus b s a (mod p) and b s a (mod q), whence b s a (mod pq). The situation in which (a, N) = q may be analysed in a similar manner, and so this completes the proof. It remains to discuss the feasibility and security of this cryptosystem. The first observation to make is that all of the operations required to make use of the RSA cryptosystem are fast. The application of the Euclidean Algorithm, and the operation of taking powers modulo N, have running time O(log N) arithmetic operations. This is proportional to the number of digits in N. Second, we need to have available plenty of large prime numbers (p and q) in order to derive good public keys. Fortunately, there are relatively fast primality tests available. The security of the RSA cryptosystem depends on the difficulty of factoring large integers N and computing φ(n). Aside: A probabilistic test is available with running time polynomial in log n that can discern, provably, that a number n is composite. For the numbers that survive this test, the Adleman-Pomerance-Rumely test can establish primality, or compositeness, provably in deterministic time O((log n) c log log log n ), which is close to polynomial in log n. More recently, Agrawal, Kayal and Saxena have devised an algorithm that has running time polynomial in log n. The naive factorisation algorithm supplies a factorisation of a composite integer in running time O( n) arithmetic operations. The fastest available factorisation algorithm for very large integers is the Number Field Sieve, with running time exp(c(log n) 1/3 (log log n) 2/3 ) arithmetic operations to factor a large integer n, wherein c is a suitably large positive constant. This is much larger than polynomial in log n. If a quantum computer can be built, then Shor s Quantum Algorithm would factor integers n in a time polynomial in log n, and would constitute a threat to the RSA cryptosystem. 3. Searching for prime numbers It crucial for many application to have an efficient way for generating large prime numbers and, in particular, testing that a given number is prime. One of the most basic test is based on the Fermat s Little Theorem. Recall that if the number n is prime, then for any a = 1,..., n 1, we have a n 1 1 (mod n). Hence, if we find a = 1,..., n 1 such that a n 1 1 (mod n), (3.1) then a is composite. This motivates the following definition. Definition 3.1. A number a = 1,..., n 1 is called a Fermat witness for n if (3.1) holds. Example 3.2. Let n = 2 25 + 1 Fermat thought that n is prime, but it is not. Although 2 n 1 1 (mod n),

4 LECTURE 5 one can check that 3 n 1 1 (mod n). Let n = 2 214 + 1. This number has 4933 digits. While 2 n 1 1 (mod n), one can check that 3 n 1 1 (mod n), so that n is composite. Compositeness of n was first shown in 1961, but a nontrivial factor of n was found in 2010. Theorem 3.3. If n is composite, then there exists at least one Fermat witness. Proof. Indeed, if a be a proper divisor of n, then a divides both a n 1 and n, so that (3.1) is impossible. However, finding a Fermat witness could be difficult. We show that in most cases the proportion of Fermat witnesses for composite numbers exceeds 50%. Theorem 3.4. Suppose that b n 1 1 (mod n) for some b with (b, n) = 1. Then {a = 1,..., n 1 : a n 1 1 (mod n)} > n 1. 2 Proof. We consider the sets A = {a = 1,..., n 1 : a n 1 1 (mod n)}, B = {a = 1,..., n 1 : (a, n) = 1, a n 1 1 (mod n)}, C = {a = 1,..., n 1 : (a, n) > 1}. These sets are disjoint, A B C = {1,..., n 1}, and B C are precisely the Fermat witnesses for n. For b B and a A, (ab) n 1 a n 1 b n 1 b n 1 1 (mod n), and (ab, n) = 1. This shows Ab (mod n) B. If ab a b (mod n), then a = a, so that the size of Ab (mod n) is equal to the size of A. Hence, we deduce that B A. We obtain n 1 = A + B + C A + A + 1 > 2 A. This shows that A < (n 1)/2 and B C > (n 1)/2, as required. Unfortunately, this theorem does not apply for some composite numbers. We say that n is a Carmichael number if n is composite and a n 1 1 (mod n) for all a such that (a, n) = 1. The first five Carmichael numbers are 561, 1105, 1729, 2465, 2821. Alford, Granville, and Pomerance proved that there are infinitely many Carmichael numbers. A refined version of the Fermat test, which nowadays is used in many computational programmes, goes under the name Miller-Rabin test. It is based on the following observation.

LECTURE 5 5 Theorem 3.5. If n > 2 is a prime number and n 1 = 2 e k, then for al a = 1,..., n 1, either a k 1 (mod n) or a 2ik 1 (mod n) for some i = 0,..., e 1. Proof. We observe that a 2ek 1 = (a 2e 1k ) 2 1 = (a 2e 1k 1)(a 2e 1k + 1) = = (a k 1)(a k + 1)(a 2k + 1) (a 2e 1k + 1). If n is a prime number, then a n 1 1 0 (mod n), and n must divide at least one of the factors in the above product. This implies the theorem. This result provides a useful way to test primality. Definition 3.6. Let n > 1 be an odd integer and n 1 = 2 e k for odd k. A number a = 1,..., n 1 is called a Miller-Rabin witness for n if a k 1 (mod n) and a 2ik 1 (mod n) for all i = 1,..., n 1. It was shown if n is odd and composite, then the proportion of Miller Rabin witnesses is always at least 75%. Hence, it is easier to find a Miller Rabin witness than a Fermat witness. Aside: It was proven assuming The Generalised Riemann Hypothesis (a very difficult conjecture in Number Theory) that if n is odd and composite, then there exists a a Miller Rabin witness of size at most 2(log n) 2. Hence, the Rabin Miller test is expected to provide a polynomial-time algorithm for testing primality.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback